Bank robbers don’t need balaclavas and shotguns anymore; they just need computers and stable networks!
That is what 36 significant data breach notifications from the boards of financial services firms in just four months suggest. The breaches are said to have occurred after the Australian Prudential Regulation Authority’s (APRA) new prudential standard for information security – CPS 234 – came into effect.
These worrisome information security breach statistics are, of course, not meant to panic you, but as APRA warns, “Australian banks have to expect a ‘tougher approach’ to security and improve their poor ‘cyber hygiene’”.
Before diving into the details of the phrases mentioned above, here is an overview of the information security standard that APRA brought into effect in July 2019, in response to the ever-increasing threat of cyber-attacks…
…CPS 234!
CPS 234 requires all APRA-regulated entities, around 600 institutions, to take full responsibility for their information security – from defining the security-related roles of boards and senior management to notifying the regulator of material information security incidents within 72 hours of becoming aware of them.
The standard also requires organisations to obtain assurance about the information security capability of the third parties they rely on. Some firms have taken a “hands-on approach”, carrying out their own audits of those third parties. While APRA does not explicitly demand that, it does encourage organisations to do more than simply take third parties’ assurances at face value.
So far, approximately 70 percent of APRA-regulated firms have reported gaps in their CPS 234 compliance. Fret not if you are among those finding it arduous to comply with the new standard! Seek support from the experts at Cybernetic Global Intelligence (CGI), a renowned cybersecurity agency in Australia.
Now, for those who are already CPS 234 compliant, let us clarify the concern mentioned above:
According to APRA executive board member Geoff Summerhayes, “APRA is concerned about the poor CYBER HYGIENE of some institutions, including the use of systems which no longer receive security support or updates, or lack a comprehensive security patching regime.”
So, what is this CYBER HYGIENE?
In general, CYBER HYGIENE refers to the routine practices that users of digital devices follow to maintain online security and keep their systems in adequate health: keeping software supported and patched, for instance.
Notwithstanding the fast-growing number of security breach incidents that make headlines, APRA found that some financial institutions still lack several of the essential elements required to maintain sufficient CYBER HYGIENE.
So it is no surprise that Summerhayes said the regulator will frequently challenge entities on their cyber posture and will use data-driven insights to identify the matters that require more detailed scrutiny. APRA will eventually establish baseline metrics for cyber security, and Summerhayes described CPS 234 as “the floor” for that. He also announced that APRA would be “constructively tough” in how it manages entities towards cyber resilience.
Room For Improvement?
According to cyber security vendors, the initial figures make it clear that there is room for improvement among Australia’s regulated financial institutions.
Kevin Vanhaelen, Asia-Pacific regional director of network security vendor Vectra AI, said that the 36 breaches reported so far underrepresent the real number of attacks, and that more breaches that have already occurred will come to light shortly.
“It takes on average around 200 days before a breach is detected, the majority of which are only discovered after receiving a notification from an external party. With a cyber-attack having the ability to put a bank, insurer and super fund out of business, these time frames are simply unacceptable,” Vanhaelen said.
He said that preventing all attacks on financial institutions is impossible for the time being; response times, however, must be brought down considerably.
“By stopping an attack in progress, it is possible to limit its spread and reduce damage. A contemporary security architecture must be adaptive and integrate defense, detection, response, and learning dimensions into an iterative process.”